compliance controls are associated with this Policy definition 'Check for privacy and security compliance before establishing internal connections' (ee4bbbbb-2e52-9adb-4e3a-e641f7ac68ab)
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | CA-9 | FedRAMP_High_R4_CA-9 | FedRAMP High CA-9 | Security Assessment And Authorization | Internal System Connections | Shared | n/a | The organization:<br>a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and<br>b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.<br>Supplemental Guidance: This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4.<br>References: None. | link | 1 |
| FedRAMP_Moderate_R4 | CA-9 | FedRAMP_Moderate_R4_CA-9 | FedRAMP Moderate CA-9 | Security Assessment And Authorization | Internal System Connections | Shared | n/a | The organization:<br>a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and<br>b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.<br>Supplemental Guidance: This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4.<br>References: None. | link | 1 |
| hipaa | 0819.09m1Organizational.23-09.m | hipaa-0819.09m1Organizational.23-09.m | 0819.09m1Organizational.23-09.m | 08 Network Protection | 0819.09m1Organizational.23-09.m 09.06 Network Security Management | Shared | n/a | A current network diagram (including wireless networks) exists, and is updated whenever there are network changes and no less than every six months. | | 2 |
| hipaa | 0836.09.n2Organizational.1-09.n | hipaa-0836.09.n2Organizational.1-09.n | 0836.09.n2Organizational.1-09.n | 08 Network Protection | 0836.09.n2Organizational.1-09.n 09.06 Network Security Management | Shared | n/a | The organization formally authorizes and documents the characteristics of each connection from an information system to other information systems outside the organization. | | 4 |
| hipaa | 0863.09m2Organizational.910-09.m | hipaa-0863.09m2Organizational.910-09.m | 0863.09m2Organizational.910-09.m | 08 Network Protection | 0863.09m2Organizational.910-09.m 09.06 Network Security Management | Shared | n/a | The organization builds a firewall configuration that restricts connections between untrusted networks and any system components in the covered information environment; and any changes to the firewall configuration are updated in the network diagram. | | 25 |
| hipaa | 0865.09m2Organizational.13-09.m | hipaa-0865.09m2Organizational.13-09.m | 0865.09m2Organizational.13-09.m | 08 Network Protection | 0865.09m2Organizational.13-09.m 09.06 Network Security Management | Shared | n/a | The organization (i) authorizes connections from the information system to other information systems outside of the organization through the use of interconnection security agreements or other formal agreement; (ii) documents each connection, the interface characteristics, security requirements, and the nature of the information communicated; (iii) employs a deny-all, permit-by-exception policy for allowing connections from the information system to other information systems outside of the organization; and, (iv) applies a default-deny rule that drops all traffic via host-based firewalls or port filtering tools on its endpoints (workstations, servers, etc.), except those services and ports that are explicitly allowed. | | 5 |
| ISO27001-2013 | A.12.4.1 | ISO27001-2013_A.12.4.1 | ISO 27001:2013 A.12.4.1 | Operations Security | Event Logging | Shared | n/a | Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. | link | 53 |
| ISO27001-2013 | A.12.4.3 | ISO27001-2013_A.12.4.3 | ISO 27001:2013 A.12.4.3 | Operations Security | Administrator and operator logs | Shared | n/a | System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. | link | 29 |
| ISO27001-2013 | A.15.1.2 | ISO27001-2013_A.15.1.2 | ISO 27001:2013 A.15.1.2 | Supplier Relationships | Addressing security within supplier agreement | Shared | n/a | All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information. | link | 24 |
| ISO27001-2013 | A.16.1.7 | ISO27001-2013_A.16.1.7 | ISO 27001:2013 A.16.1.7 | Information Security Incident Management | Collection of evidence | Shared | n/a | The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information which can serve as evidence. | link | 7 |
| ISO27001-2013 | A.18.2.2 | ISO27001-2013_A.18.2.2 | ISO 27001:2013 A.18.2.2 | Compliance | Compliance with security policies and standards | Shared | n/a | Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. | link | 36 |
| NIST_SP_800-53_R4 | CA-9 | NIST_SP_800-53_R4_CA-9 | NIST SP 800-53 Rev. 4 CA-9 | Security Assessment And Authorization | Internal System Connections | Shared | n/a | The organization:<br>a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and<br>b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.<br>Supplemental Guidance: This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4.<br>References: None. | link | 1 |
| NIST_SP_800-53_R5 | CA-9 | NIST_SP_800-53_R5_CA-9 | NIST SP 800-53 Rev. 5 CA-9 | Assessment, Authorization, and Monitoring | Internal System Connections | Shared | n/a | a. Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system;<br>b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;<br>c. Terminate internal system connections after [Assignment: organization-defined conditions]; and<br>d. Review [Assignment: organization-defined frequency] the continued need for each internal connection. | link | 1 |
| | op.exp.7 Incident management | op.exp.7 Incident management | 404 not found | | | | n/a | n/a | | 103 |
| | op.exp.8 Recording of the activity | op.exp.8 Recording of the activity | 404 not found | | | | n/a | n/a | | 67 |
| | op.exp.9 Incident management record | op.exp.9 Incident management record | 404 not found | | | | n/a | n/a | | 30 |
| | op.ext.1 Contracting and service level agreements | op.ext.1 Contracting and service level agreements | 404 not found | | | | n/a | n/a | | 35 |
| | op.nub.1 Cloud service protection | op.nub.1 Cloud service protection | 404 not found | | | | n/a | n/a | | 33 |
| | op.pl.5 Certified components | op.pl.5 Certified components | 404 not found | | | | n/a | n/a | | 26 |
| | org.2 Security regulations | org.2 Security regulations | 404 not found | | | | n/a | n/a | | 100 |
| PCI_DSS_v4.0 | 1.2.3 | PCI_DSS_v4.0_1.2.3 | PCI DSS v4.0 1.2.3 | Requirement 01: Install and Maintain Network Security Controls | Network security controls (NSCs) are configured and maintained | Shared | n/a | An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks. | link | 1 |
| SWIFT_CSCF_v2022 | 1.1 | SWIFT_CSCF_v2022_1.1 | SWIFT CSCF v2022 1.1 | 1. Restrict Internet Access & Protect Critical Systems from General IT Environment | Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. | Shared | n/a | A separated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments. | link | 19 |